Hi team,
I am doing a PoC on ELK and have come across an issue. I have had a look at many topics on discuss.elastic.co and StackOverflow, but none seems to have helped.
I am trying to configure multiline events via Filebeat and consume them in Logstash. The issue that I am facing is that even after setting the multiline configuration, I still see the lines of a stacktrace as individual events in Logstash.
Since Logstash receives the lines of the stacktrace not as a single event but as individual lines, it is leading to a _grokparsefailure at that end, which is completely understandable as FB should club those lines into the same event prior to sending them to Logstash.
Other single-line events are working as expected and I am able to visualise them on Kibana.
filebeat.yml:

```yaml
filebeat.inputs:
- type: s3
  queue_url: https://sqs.aaaaa.amazonaws.com/xxxxxxxx/zzzzzz
  visibility_timeout: 300s
  multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
  multiline.negate: true
  multiline.match: after
```
Logstash configuration:

```
input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:logType} %{LOGLEVEL:logLevel}%{SPACE}\[%{GREEDYDATA:key1}\] \[%{GREEDYDATA:key2}\] \[%{GREEDYDATA:key3}\] \[%{GREEDYDATA:sourceIP}\] %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
  }
}
```
Here is a sample log statement I am trying to combine into a single event:

```
2020-08-18 00:30:52,481 detailed_logs ERROR [abc] [xyz] [def] [127.0.0.1] Exception raised. Trace:
2020-08-18 00:30:52,483 detailed_logs ERROR Traceback (most recent call last):
  File "/Users/vvv/Documents/ttt.py", line 93, in get
    x = y.perform(abc)
  File "/Users/vvv/Documents/ttt.py", line 283, in operate
    raise exception
  File "/Users/vvv/Documents/ttt.py", line 169, in operate
    d["abb"] = n["xy"]
AttributeError: 'model' object has no attribute 'create1d_on'
```
Any nudge in the right direction would be appreciated. Thanks in advance.
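As an added illustration (not code from the post, and not Filebeat's own implementation), here is a small Python re-implementation of the `multiline.match: after` grouping rule, run over a constructed copy of the sample lines above with the pattern from the posted filebeat.yml; it shows which lines open a new event and which get appended to the previous one.

```python
import re

# Constructed copy of the sample log from the post, with the Python traceback
# indentation restored (continuation lines start with whitespace).
SAMPLE_LINES = [
    "2020-08-18 00:30:52,481 detailed_logs ERROR [abc] [xyz] [def] [127.0.0.1] Exception raised. Trace:",
    "2020-08-18 00:30:52,483 detailed_logs ERROR Traceback (most recent call last):",
    '  File "/Users/vvv/Documents/ttt.py", line 93, in get',
    "    x = y.perform(abc)",
    '  File "/Users/vvv/Documents/ttt.py", line 283, in operate',
    "    raise exception",
    '  File "/Users/vvv/Documents/ttt.py", line 169, in operate',
    '    d["abb"] = n["xy"]',
    "AttributeError: 'model' object has no attribute 'create1d_on'",
]

# multiline.pattern from the posted filebeat.yml.
PATTERN = r"^[0-9]{4}-[0-9]{2}-[0-9]{2}"


def multiline_join(lines, pattern, negate=True, match="after"):
    """Group lines the way Filebeat's multiline reader does for match: after
    (illustrative re-implementation, not Filebeat's code).

    A line is appended to the previous event when
    (line matches pattern) != negate; otherwise it starts a new event.
    So negate: true  -> lines NOT matching the pattern are continuations,
       negate: false -> lines matching the pattern are continuations.
    """
    if match != "after":
        raise ValueError("only match: after is modelled here")
    regex = re.compile(pattern)
    events = []
    for line in lines:
        is_continuation = bool(regex.search(line)) != negate
        if is_continuation and events:
            events[-1].append(line)
        else:
            events.append([line])
    return ["\n".join(ev) for ev in events]


if __name__ == "__main__":
    for i, ev in enumerate(multiline_join(SAMPLE_LINES, PATTERN), 1):
        print(f"--- event {i} ({len(ev.splitlines())} lines) ---")
        print(ev)
```

With this pattern every line that begins with a date opens a new event, so the first sample line stays a one-line event and the eight traceback lines attach to the second timestamped line.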